[cairo-bugs] [Bug 10730] potential controllable integer overflow in cairo-png.c

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Apr 24 06:20:13 PDT 2007


------- Comment #5 from otaylor at redhat.com  2007-04-24 06:20 PST -------
I don't remember all the considerations, but for the
same math in gdk_pixbuf_new() I decided to go with the simple approach of
dividing out and making sure that the result was the same:

        rowstride = width * channels;
        if (rowstride / channels != width || rowstride + 3 < 0) /* overflow */
                return NULL;

        rowstride = (rowstride + 3) & ~3;

        bytes = height * rowstride;
        if (bytes / rowstride !=  height) /* overflow */
                return NULL;

(The quantities here are signed, so that's one reason that the "check if
the result is less" approach doesn't work. C doesn't even define the
results of an overflowing multiplication of signed integers, IIRC. But 
there may be other reasons as well. or not.)

Configure bugmail: http://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the cairo-bugs mailing list